If there’s one thing I’ve learned from being in the field of cybersecurity for nearly two decades, it’s that there is never, ever a dull moment. But in the past week, something different seemed to happen in cyberland. And it’s really quite disconcerting. We saw four major stories about how adversaries’ campaigns and methods hit the web with one common theme: the trust established by cryptographic keys and digital certificates is being misused everywhere. It’s not exotic anymore, nor is it hypothetical. It’s a real threat and happening with increased frequency. It’s also a high risk that threatens to undermine most, if not all, critical security controls.
Why? Because keys and certificates provide the foundation of trust for every app, website, and cloud today. And they are consistently being misused and compromised by attackers now. In their top 2015 predictions (also published in the last week), Forrester explained why bad guys are so interested: “Attackers who compromise trust end up with the keys to the kingdom.” Those keys to the kingdom are the keys and certificates on which we run our businesses every day but spend very little time protecting.
So what actually happened last week?
All of these news stories should be a serious wake-up call for the infosec industry: the threatscape has changed, and attackers need trusted status, and they know they can get it by misusing keys and certificates. What else does this mean? Unfortunately, it means almost every single security control that you’ve spent millions on to protect your network, apps, and data, can be undermined and circumvented.
Why? Because hackers know they can get around your strong authentication with spoofing and man-in-the-middle attacks. They know you can’t decrypt all incoming SSL traffic and can’t see their new attack because your threat detection systems don’t have all of the keys to decrypt traffic. They know your privileged access management systems don’t know the difference between a good and a rogue SSH key. They know all of your data protection systems can be foiled with the compromise of just one SSL key and certificate that won’t be changed for years.
Now, it may appear that the world is coming to an end. The foundation of trust of our digital systems—from banking, to the cloud, to mobile apps, to your business—is all based on keys and certificates and is under attack. Some have wondered, is the cryptoapocalypse upon us? No, it’s not. But the threatscape has changed and we all need to respond. Edward Snowden’s comment from earlier this year is just one example of how we’re waking up to this problem: to circumvent security like encryption, the best method is to “try to steal their keys and bypass the encryption. That happens today and that happens every day. That is the way around it.”
I know many CISOs, security architects, and security operations teams will continue to spend more money on strong authentication, DLP, threat detection, SSL traffic decryption, privileged access management, and more. However, if we continue to blindly trust keys and certificates—don’t know how many we have, don’t know what they’re used for, can’t enforce policy, can’t detect anomalous certificates, can’t safely deliver them to threat detection systems to inspect traffic, and can’t replace one or many in seconds not weeks (incident response teams: remember Heartbleed?)—then we’ll continue to undermine all other critical security controls. It’s why the SANS20 Critical Security list has been updated to now include guidance on securing keys and certificates. It’s why the PCI Security Standards Council considered it a high priority in 2015 Special Interest Group selection to improve security for cardholder data.
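As an added illustration of the inventory and policy gaps listed above (example code written for this page, not from the original post or any vendor product), the following Python audits an authorized_keys file against an approved fingerprint inventory and flags keys nobody has recorded, the deprecated ssh-dss type, and entries with no from= source restriction. The key blobs, hostnames and the 10.0.0.0/8 range are constructed sample data.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def make_blob(key_type: str, *fields: bytes) -> str:
    # Wire-encode key fields the way sshd stores them, then base64 (used to build constructed test data).
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()

def fingerprint(blob_b64: str) -> str:
    # OpenSSH-style SHA256 fingerprint of a base64 key blob (what ssh-keygen -lf prints).
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line: str):
    # Split one authorized_keys line into (options, keytype, blob, comment).
    parts = line.split()
    if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return "", parts[0], parts[1], " ".join(parts[2:])
    return parts[0], parts[1], parts[2], " ".join(parts[3:])

def audit(authorized_keys: str, inventory: dict) -> list:
    # Flag keys missing from the approved inventory, using a weak type, or lacking a from= restriction.
    findings = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, keytype, blob, comment = parse_entry(line)
        fp = fingerprint(blob)
        if fp not in inventory:
            findings.append((comment, "unknown key: not in approved inventory"))
        if keytype == "ssh-dss":
            findings.append((comment, "weak key type ssh-dss"))
        if "from=" not in options:
            findings.append((comment, "no from= source restriction"))
    return findings

# Constructed sample data: repeated bytes stand in for real key material.
APPROVED = make_blob("ssh-ed25519", b"A" * 32)
ROGUE = make_blob("ssh-ed25519", b"B" * 32)
LEGACY = make_blob("ssh-dss", b"p" * 128, b"q" * 20, b"g" * 128, b"y" * 128)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys
from="10.0.0.0/8" ssh-ed25519 {APPROVED} deploy@build01
ssh-ed25519 {ROGUE} unknown@laptop
ssh-dss {LEGACY} legacy-backup
"""
INVENTORY = {fingerprint(APPROVED): "deploy@build01"}
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY)` returns one finding per violated rule, so the approved, restricted deploy key produces nothing while the unrecorded and legacy keys are reported.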
Over the last month I’ve met with CISOs and their teams from Berlin to Sydney. The message is the same: the threatscape has changed and the risk posed by the misuse of keys and certificates is very high. CISOs, security architects, and security operations teams need to wake up and realize the root of the problem: you simply can no longer blindly trust certificates. Gartner’s Neil MacDonald simply described this as “living in a world without trust”—a reality that security professionals cannot tolerate if we expect to stay ahead of the bad guys and defend our businesses and customers.